Be careful when receiving emails with QR codes because Quishing (phishing with QR codes) has evolved to be as dangerous as never before, experts warn.
A report from Perception point has outlined one such campaign and claims that it is capable of bypassing most email security solutions.
The attack is just like any other QR code phishing attack: the recipient receives an email containing a QR code. They scan it and it takes them to a fake Microsoft 365 landing page, where they enter their login credentials and essentially share them with the crooks. However, since most email security solutions these days come with QR code scanners, simply sending the image in the email isn’t enough. Such emails are simply blocked. That’s why scammers have come up with a creative new way to bypass the protections.
Two QR codes
As Perception Point explains, the campaign involves abusing two legitimate services: SharePoint and me-qr.com. SharePoint is a Microsoft-built, web-based platform for collaboration, document management, and content sharing. Me-QR.com is a website where users can create and manage QR codes.
The landing page is hosted on SharePoint. Me-QR.com is used as an additional obfuscation layer, so that the scanners cannot read what the QR code points to.
Here’s how the scam works: The recipient receives the usual phishing email, containing a .PDF attachment that is a purchase order, an invoice, or something similar. When they open it, there is a QR code that points to me-QR.com. Because this is a legitimate service, the code passes security scans.
When the victim scans this code, he or she is redirected to me-QR.com, where the service scans a second QR code (a malicious code, most likely blocked by email security). This code leads to SharePoint, where the phishing page is hosted.
Perception Point calls this tactic “Quishing 2.0” and describes it as very advanced.
The best way to protect yourself from spam remains the same: be suspicious of all incoming emails and use common sense when opening attachments.